PLAT-973 + PLAT-974: parameterize Keycloak host, add Python 3.12 IDE variant#54
Open
ttngu207 wants to merge 1 commit into
… variant
PLAT-973: read KEYCLOAK_HOST and OAUTH_CALLBACK_URL from environment instead of hardcoding keycloak-qa.datajoint.io and the localhost callback. This makes the hub image reusable across environments (QA, prod, new-qa).
PLAT-974: add Python 3.12 to the release-image-ide matrix alongside the existing 3.11 build. Existing-version build path unchanged.
Residual risks (out of scope per PLAT-973):
- verify=False on OAuth callback still in effect (deferred until a real cert)
- jupyter_codeserver_proxy still on 1.0b3 beta pin (deferred until upstream GA)
Summary
Two djlabhub-docker hardening items for PLAT-590:
- `jupyterhub_config.py` hardcoded `keycloak-qa.datajoint.io` and the localhost OAuth callback. Replaced with required env vars `KEYCLOAK_HOST` and `OAUTH_CALLBACK_URL`. The container fails to start if either is unset.
- `release-image-ide` workflow now uses a matrix to build both Python 3.11 and 3.12 IDE images.
Why now
DJ IDE phase-2 production deployment (PLAT-590) needs the hub image to work outside QA. The hardcoded Keycloak host was a blocker for any non-QA deployment of this image. Python 3.12 proves the multi-version build pattern without committing to a full matrix.
Note on PLAT-973 scope
The ticket originally referenced `dj-gitops/.../codebook/config/jupyterhub_config.py` — that file no longer has the hardcoding (cleaned up by the recent ArgoCD migration; all OAuth URLs now live in env-specific `values-{env}.yaml`). The remaining hardcoding is in this repo (djlabhub-docker), matching the architecture-doc gap #7 wording. Retargeted accordingly.
Out of scope
- `verify=False` on OAuth callback — deferred until a real cert is available.
- `jupyter_codeserver_proxy-1.0b3` beta pin — deferred until upstream GA.
Test plan
- `docker build --build-arg JUPYTERHUB_VERSION=4.0.2 -t djlabhub-hub-smoke -f hub/Dockerfile hub/` — succeeded.
- `OAUTH2_CLIENT_ID`, `OAUTH2_CLIENT_SECRET`, `KEYCLOAK_HOST=keycloak.example.com`, `OAUTH_CALLBACK_URL=https://codebook.example.com/hub/oauth_callback`. Verified the constructed URLs:
  - `authorize_url = https://keycloak.example.com/realms/datajoint/protocol/openid-connect/auth`
  - `logout_redirect_url = https://keycloak.example.com/realms/datajoint/protocol/openid-connect/logout`
  - `oauth_callback_url = https://codebook.example.com/hub/oauth_callback`
- `KEYCLOAK_HOST` unset raises `KeyError: 'KEYCLOAK_HOST'` at import; running with no env vars at all raises `KeyError: 'OAUTH2_CLIENT_ID'`. Container would fail to start, as designed.
- `rhysd/actionlint` against `.github/workflows/singleuser-release.yaml`. No new errors. Only diagnostics are pre-existing `docker/login-action@v2` "runner too old" warnings on lines 43 and 72 — out of scope for this PR.
Deployment
When this image is pulled into a JupyterHub deployment (dj-gitops codebook), the Helm values must set `KEYCLOAK_HOST` and `OAUTH_CALLBACK_URL` in `hub.extraEnv`. Update needed in `dj-gitops/applications/k8s/argocd/apps-values/codebook/values-{env}.yaml` if/when this image starts being used in a path where these are not already set elsewhere.
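The required-env-var pattern the summary and test plan describe, as an added example that is not the PR's own `jupyterhub_config.py`: the variable names, the `datajoint` realm and the URL shapes follow the PR text, while the bare-host and https checks, the `SAMPLE_ENV` values and the helper names are assumptions made here.

```python
import os
from collections.abc import Mapping
from urllib.parse import urlsplit

REALM = "datajoint"  # realm seen in the PR's verified URLs
# Checked in this order so the first missing variable is the one reported.
REQUIRED = ("OAUTH2_CLIENT_ID", "OAUTH2_CLIENT_SECRET",
            "KEYCLOAK_HOST", "OAUTH_CALLBACK_URL")

# Constructed sample environment (illustrative values, not real secrets).
SAMPLE_ENV = {
    "OAUTH2_CLIENT_ID": "codebook",
    "OAUTH2_CLIENT_SECRET": "not-a-real-secret",
    "KEYCLOAK_HOST": "keycloak.example.com",
    "OAUTH_CALLBACK_URL": "https://codebook.example.com/hub/oauth_callback",
}


def missing_variable(env: Mapping[str, str]):
    """Name of the first required variable absent from env, or None."""
    return next((name for name in REQUIRED if name not in env), None)


def build_oauth_urls(env: Mapping[str, str]) -> dict:
    """Build the URLs the hub needs; raise so the container fails to start."""
    missing = missing_variable(env)
    if missing is not None:
        raise KeyError(missing)  # same failure mode the PR's test plan shows
    host = env["KEYCLOAK_HOST"]
    callback = env["OAUTH_CALLBACK_URL"]
    # Assumed check: KEYCLOAK_HOST is a bare host[:port]. A scheme or path
    # here would yield "https://https://..." and only fail at first login.
    if not host or "://" in host or "/" in host:
        raise ValueError(f"KEYCLOAK_HOST must be a bare hostname, got {host!r}")
    # Assumed check: the browser delivers the authorization code to this URL,
    # so require https except for a local development hub.
    parts = urlsplit(callback)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError(f"OAUTH_CALLBACK_URL must be https, got {callback!r}")
    base = f"https://{host}/realms/{REALM}/protocol/openid-connect"
    return {
        "authorize_url": f"{base}/auth",
        "logout_redirect_url": f"{base}/logout",
        "oauth_callback_url": callback,
    }


if __name__ == "__main__":
    # In jupyterhub_config.py this would run at import time with os.environ.
    print(build_oauth_urls(os.environ))
```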